Hey guys I have been tasked with assessing the security of an application that exists solely on the mainframe. Have any of you had any experience or have any suggestions as to how to attack something like this?

TN3270 emulator (I think there's a Perl module you can use) and then your standard brute-force type attacks.. I've never heard of a buffer overflow on a mainframe, but then again, my experience is limited.

From what I remember though, there are very distinctly different errors for 'failed password with valid user' and 'invalid user' which can assist in determining whether a user is valid or not. But most OS/390 logins have very restrictive login attempt rules which require manual unlocking of a locked account, so timing of attempts is necessary to allow a valid login in between X failed.

If you have an SNA server between your webapp and your DB2, that's also a point of failure to test.
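Seen from the defending side, the distinct sign-on errors and the paced attempts described in the post above both leave a recognisable pattern in sign-on audit records. The following is an added example, not part of the original thread; the log format, result labels, terminal names, user names and the lockout limit of 3 are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-on audit lines: time, source terminal, user, result.
# Format and result labels are assumptions, not a real OS/390 or AS/400 log.
SAMPLE = """\
2024-05-01T09:00:00 TERM07 ADMIN INVALID_USER
2024-05-01T09:00:05 TERM07 OPER1 INVALID_USER
2024-05-01T09:00:09 TERM07 TEST01 INVALID_USER
2024-05-01T09:00:14 TERM07 JSMITH BAD_PASSWORD
2024-05-01T09:01:00 TERM07 JSMITH BAD_PASSWORD
2024-05-01T09:30:00 TERM02 JSMITH OK
2024-05-01T09:31:00 TERM07 JSMITH BAD_PASSWORD
2024-05-01T09:32:00 TERM07 JSMITH BAD_PASSWORD
2024-05-01T13:00:00 TERM02 JSMITH OK
2024-05-01T13:05:00 TERM03 MLEE BAD_PASSWORD
2024-05-01T13:05:20 TERM03 MLEE OK
"""

def parse(text):
    """Return (time, source, user, result) tuples, oldest first."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(t), s, u, r) for t, s, u, r in rows)

def enumeration_sources(events, min_users=3):
    """Sources that drew 'invalid user' for many distinct names."""
    probed = defaultdict(set)
    for _, source, user, result in events:
        if result == "INVALID_USER":
            probed[source].add(user)
    return {s: sorted(u) for s, u in probed.items() if len(u) >= min_users}

def paced_guessing(events, lock_limit=3, min_cycles=2):
    """Users whose failure streak repeatedly stops one short of lockout."""
    streak, cycles = defaultdict(int), defaultdict(int)
    for _, _, user, result in events:
        if result == "BAD_PASSWORD":
            streak[user] += 1
        elif result == "OK":
            # A success resets the counter; note streaks that stopped just short.
            if streak[user] == lock_limit - 1:
                cycles[user] += 1
            streak[user] = 0
    return sorted(u for u, c in cycles.items() if c >= min_cycles)

if __name__ == "__main__":
    events = parse(SAMPLE)
    print("enumeration:", enumeration_sources(events))
    print("paced guessing:", paced_guessing(events))
```

Returning the same error for an unknown user and a wrong password removes the first signal at the source; the second check still applies because it relies only on the lockout counter being reset by a legitimate sign-on.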

Thanks trill, but unfortunately there is no web app. There is only the green screen. I have a terminal emulator already, but thanks for the suggestion anyway. I will also keep in mind the different error messages for failed logins.

Green Screen homey.. green screen.. AS/400 or OS/390.. although the AS/400 mostly used 5250 by default, I once saw one using 3270 as a default term emu.. oh wait, you did too.. it was that place that used 192.100.x.x.. you member?

That actually explains why someone would go through the pains of enabling 3270.. if it was 'him' accessing it, I'm sure he demanded it. heh..

The OS is AS/400. It is a homebrew COBOL app that has been running for about 30 years, and no I am not exaggerating. That app has been around longer than I have.

thrill is correct, we have no mainframe Linux going on here. Does anyone have any custom back end ways to interact with the mainframe other than through a terminal emulator? ActiveX controls/COM objects/Java/Python/C APIs I can program to?

Have you had any experience against COBOL apps though? Is the only main difference here that I can't do CSRF, XSS, etc? I can't have a proxy obviously so I am kind of restricted by the screen length constraints. Any ideas about how to get around that?